Classifications

• • G—PHYSICS
  • G06—COMPUTING; CALCULATING OR COUNTING
  • G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
  • G06Q50/00—Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
  • G06Q50/10—Services
  • G06Q50/26—Government or public services
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
  • H04L9/3218—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, ornon-interactive zero-knowledge proofs
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
  • H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
  • H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
  • H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/14—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
  • H04L9/3066—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
  • H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
  • H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
  • H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
  • H04L9/3252—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
  • H04L2209/42—Anonymization, e.g. involving pseudonyms
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
  • H04L2209/46—Secure multiparty computation, e.g. millionaire problem
  • H04L2209/463—Electronic voting
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  • H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
  • H04L2209/56—Financial cryptography, e.g. electronic payment or e-cash

Definitions

• the technique of this paper also offers several advantages over the cut-and-choose technique used in [8].
• the size of proof is dependent on the probability of a cheating prover that is required to satisfy all participants.
• this cheating probability is essentially k/q, where k is the number of elements to be shuffled, and q is the size of the subgroup of Z* in which the elements are encrypted.
• shuffle protocols herein are constructed entirely from elementary arithmetic operations. They are thus simple to implement, and are imminently practical for the anonymous credential application described herein.
• the voting application that occurs immediately is that which employs the usual tabulation/mixing center approach to provide anonymity.
• the protocols of this paper offer important advantages. They are much more efficient, and allow the mixing centers to be completely independent of the authorities who hold some share of the key necessary to decrypt ballots.
• n will be a positive integer
• p and q will be prime integers, publicly known.
• Arithmetic operations are performed in the modular ring Z p (or occasionally Z n ), and g 6 Z p will have (prime) multiplicative order q. (So, trivially, q ⁇ (p — ⁇ ).)
• P will be the prover (shuffler)
• V the verifier (auditor).
• log 5 (x ® g y) log 5 x log g y
• f(x) be a polynomial in Z q [x.
• Xf the (unordered) set of all roots of f.
• V secretly generates, randomly and independently from Z q , k — 1 elements, ⁇ _ . , . . . ⁇ k - ⁇ - V then computes
• V generates a random challenge, 7 E Z q and reveals it to V.
• V computes k — 1 elements, ⁇ ' ⁇ , . . . , r k -_ . , of Z g satisfying
• V accepts the proof if and only if all of the equations in (8) hold.
• Theorem 1 Theorem 1
• Theorem 1 Theorem 1
• Theorem 1 Theorem 1
• Theorem 1 Theorem 1
• Theorem 1 Theorem 1
• Theorem 1 Theorem 1
• Theorem 1 Theorem 1
• Theorem 1 Theorem 1
• Theorem 1 Theorem 1
• Theorem 1 Theorem 1
• Theorem 1 Theorem 1
• Theorem 1 Theorem 1
• Theorem 1 Theorem 1
• Theorem 1 Theorem 1
• Theorem 1 Theorem 1
• Theorem 1 Theorem 1
• Theorem 1 Theorem 1
• Theorem 1 Theorem 1
• Theorem 1 Theorem 1
• Theorem 1 Theorem 1
• Theorem 1 Theorem 1
• Equation (12) If the first column vector of the matrix on the left of equation (12) is not a linear combination of the remaining k — 1 column vectors, then there can be at most one value of 7 E Z q for which equation (9) holds. Thus, if 7 is chosen randomly, there is at most a chance of 1 in q that V can produce ⁇ ' ⁇ , . . . , r k _ ⁇ which convince V.
• the first shuffle proof protocol we construct requires a restrictive set of conditions. It will be useful for two reasons. First, it is a basic building block of the more general shuffle proof protocol to come later. Fortuitously, it also serves a second important purpose. A single instance of this proof can be constructed to essentially "commit" a particular permutation. This can be important when shuffles need to be performed on tuples of Z p elements, which is exactly what is required when shuffling ElGamal pairs, as in the voting application.
• V is required to convince V that there is some permutation, ⁇ 6 ⁇ f c, with the property that for all 1 ⁇ i ⁇ k without revealing any information about x t , y iy ⁇ , c, or d.
• ⁇ 6 ⁇ f c the property that for all 1 ⁇ i ⁇ k without revealing any information about x t , y iy ⁇ , c, or d.
• V generates a random t 6 Z q and gives it to V as a challenge.
• the protocol succeeds (V accepts the proof) if and only if V accepts this ILMPP.
• Theorem 2 The Simple k-Shuffie Proof Protocol is a four-move, public coin proof of knowledge for the relationship in equation (15). It satisfies special soundness, and is special honest- verifier zeroknowledge. The number of exponentiations required to construct the proof is 2k, and the number of exponentiations required to verify it is 4k.
• Remark 7 The observations of remark 2 also apply in this case.
• the challenge t is one of the special values for which
• the challenge t is not one of the special values in 1 above, and the ILMPP is forged.
• V generates randomly and independently ⁇ from Z q and r from Z g — ⁇ 0 ⁇ , computes
• V generates a random ⁇ from Z q and reveals it to V.
• V generates a random t E Z q and gives it to V as a challenge.
• V secretly generates, randomly and independently from Z q , k elements, ⁇ ... ⁇ k . V then computes
• V generates a random challenge, 7 E Z q and reveals it to V.
• V computes k elements, r ⁇ ,...,r k , of Z q satisfying
• V accepts the proof if and only if all of the equations in (20) hold.
• Theorem 3 Simple k-Shuffle Proof Protocol II is a five-move, public coin proof of knowledge for the relationship in equation (15). It satisfies special soundness, and is special honest- verifier zeroknowledge. The number of exponentiations required to construct the proof is k + 4, and the number of exponentiations required to verify it is 2k + 2. If V generates challenges randomly, the probability of a forged proof remains less than or equal to
• V generates 7 from Z q — ⁇ 0 ⁇ , and also ZQ, z randomly and independently from Z q , and computes
• ⁇ p then reveals the ordered sequences A t , B t , C , U t , and W % along with X 0 , 0 , and ⁇ to V.
• V chooses e % randomly and independently from Z q — ⁇ 0 ⁇ and returns the sequence to V.
• V computes for 1 ⁇ i ⁇ k and reveals these to V. 4.
• V generates t E Z q — ⁇ 0 ⁇ and returns it to V as a challenge.
• V accepts the proof if and only if
• Votes are submitted as ElGamal pairs of the form (g a h a ⁇ m) (or a sequence of these pairs if more data is required), where is some standard encoding of the voter choices, the ot % are generated secretly by the voters, and h is a public parameter constructed via a dealer less secret sharing scheme ([7]).
• h is a public parameter constructed via a dealer less secret sharing scheme ([7]).
• the final collection of encrypted ballots is decrypted in accordance with the threshold scheme, and the clear text votes are tabulated in full view by normal election rules.
• the authorities who participate in the sequential shuffles may be arbitrary in number, and they may be completely different from those who hold shares of the election private key.
• the sequence of ballots which are finally decrypted can only be matched with the original sequence of submitted ballots if all of the shuffling authorities collude, since each of their permutations is completely arbitrary.
• V For 1 ⁇ i ⁇ k, V generates a t , b t , u_ and w_ randomly and independently from Z g , and computes
• V generates 7 from Z q — ⁇ 0 ⁇ , and also x 0 , y 0 and t 0 randomly and independently from Z q , and computes
• V then reveals the ordered sequences A ⁇ , B ⁇ , C ⁇ , U ⁇ , and W t along with X 0 , Y 0 , and ⁇ to V.
• V chooses e t randomly and independently from Z q — ⁇ 0 ⁇ and returns the sequence' to V.
• V generates c E Z q — ⁇ 0 ⁇ and returns it to V as a challenge.
• this proof protocol requires V to compute fo + 4 exponentiations, and V to compute 4 ⁇ 4-2 exponentiations.
• H 0 H 7 and executes with V the two Chaum-Pedersen proofs, CV (g, F, G, G 0 ) and CP (,g, T, H, Ho). (Thus proving to V that equations 45 hold.)
• V accepts the proof if and only if
• Shuffling (or mixing) The set of encrypted ballots are mixed. This means that the entire encrypted (and iteratively shuffled) ballot box must be passed sequentially from one authority to another until a sufficient number of mixing stages have been performed.
• Ai, . . . , A n be the sequence of shuffling, or mixing entities, usually called authorities.
• B be a sequence of encrypted ballots. Sequentially, each A t performs the following operations.
• a ⁇ receives
• a ⁇ performs all necessary authentication checks and validity (proof) verifications.
• V 3 receives the sequence X x , . . . , X f c along with proper authentication of its validity.
• V j If a check of the authentication provided in step 2a fails, V j should abort the decryption. Otherwise, for each 1 ⁇ i ⁇ fc, V j computes
• V returns all Z X and C y to a tabulation center.
• the election tally is finally computed by counting the ; as in any election.
• the final output will be a set of decrypted ballots, thus eliminating the need for a seperate decryption phase.
• the final shuffled ballot box. will consist .of elements that are encrypted with a public key which is shared among the remaining t — 1 0 decryption authorities.
• the general s-shuffle s ideally suited to verifiably permuting a set of DSA, or Diffie-Hellman public keys.
• step 3 the voter (shuffler) - who knows one of the private keys s 0 m this case - signs his voted ballot using a DSA signature scheme with group generator (or base), G, and key pair (s 0 , H Q ' ).
• step 4 assuming that the shuffle transcript checks, and that the ballot signature checks, the vote center simply removes H 0 ' from the list of authorized keys, and starts the process again waiting for the next ballot request.
• the new list of public keys is now one smaller, and unless the voter (shuffler) knew more than one private key in the first place, he/she now knows none of the new private keys, and hence can not vote again.
• the resulting election protocol is Universally Verifiable if all the shuffle transcripts and signatures are maintained.
• aspects of the invention can be practiced with other computer system configurations, including Internet appliances, hand-held devices, wearable computers, personal digital assistants ("PDAs"), multiprocessor systems, microprocessor-based or programmable consumer electronics, network PCs, mini computers, cell or mobile phones, set-top boxes, mainframe computers, and the like.
• PDAs personal digital assistants
• aspects of the invention can be embodied in a special purpose computer or data processor that is specifically programmed, configured or constructed to perform one or more of the computer-executable instructions explained herein.
• the term "computer,” as generally used herein, refers to any of the above devices, as well as any data processor.
• the invention can also be practiced in distributed computing environments where tasks or modules are performed by remote processing devices, which are linked through a communications network, such as a Local Area Network (LAN), Wide Area Network (WAN), or the Internet.
• LAN Local Area Network
• WAN Wide Area Network
• program modules or sub-routines may be located in both local and remote memory storage devices.
• the invention described herein may be stored or distributed on computer-readable media, including magnetic and optically readable and removable computer disks, stored as firmware in chips, as well as distributed electronically over the Internet or other networks (including wireless networks).
• portions of the protocols described herein may reside on a server computer, while corresponding portions reside on client computers. Data structures and transmission of data particular to such protocols are also encompassed within the scope of the invention.
• a suitable environment of system 100 includes one or more voter or client computers 102, each of which includes a browser program module 104 that permits the computer to access and exchange data with the Internet, including web sites within the World Wide Web portion 106 of the Internet.
• the voter computers 102 may include bne or more central processing units or other logic processing circuitry, memory, input devices (e.g., keyboards, microphones, touch screens, and pointing devices), output devices (e.g., display devices, audio speakers and printers), and storage devices (e.g., fixed, floppy, and optical disk drives), all well known but not shown in Figure 1.
• the voter computers 102 may also include other program modules, such as an operating system, one or more application programs (e.g., word processing or spread sheet applications), and the like. As shown in Figure 1, there are Nnumber of voter computers 102, representing voters 1, 2, 3 . . . N.
• a database 110 coupled to the server computer 108, stores much of the web pages and data (including ballots and shuffle validity proofs) exchanged between the voter computers 102, one or more voting poll computers 112 and the server computer 108.
• the voting poll computer 112 is a personal computer, server computer, mini-computer, or the like, positioned at a public voting location to permit members of the public, or voters who may not have ready access to computers coupled to the Internet 106, to electronically vote under the system described herein.
• the voter computers 102 may be positioned at individual voter's homes, where one or more voting poll computers 112 are located publicly or otherwise accessible to voters in a public election.
• the voting poll computer 112 may include a local area network (LAN) having one server computer and several client computers or voter terminals coupled thereto via the LAN to thereby permit several voters to vote simultaneously or in parallel.
• LAN local area network
• the term "voter” is generally used herein to refer to any individual or organization that employs some or all of the protocols described herein.
• the system 100 may be used in the context of a private election, such as the election of corporate officers or board members.
• the voter computers 102 may be laptops or desktop computers of shareholders, and the voting poll computer 112 can be one or more computers positioned within the company (e.g., in the lobby) performing the election.
• shareholders may visit the company to access the voting poll computer 112 to cast their votes.
• One or more authority or organization computers 114 are also coupled to the server computer system 108 via the Internet 106. If a threshold cryptosystem is employed, then the authority computers 114 each hold a key share necessary to decrypt the electronic ballots stored in the database 110. Threshold cryptographic systems require that a subset t of the total number of authorities n (i.e., t ⁇ n) agree to decrypt the ballots, to thereby avoid the requirement that all authorities are needed for ballot decryption. In other words, the objective of a threshold cryptosystem is to share a private key, s, among n members of a group such that messages can be decrypted when a substantial subset, T, cooperate - a (t, ⁇ ) threshold cryptosystem.
• Protocols are defined to (1) generate keys jointly among the group, and (2) decrypt messages without reconstructing the private key.
• the authority computers 114 may provide their decryption share to the server computer system 108 after the voting period ends so that the server computer system may decrypt the ballots and tally the results.
• each of the authority computers may perform one shuffle of the ballots, as described herein.
• each authority computer In conjunction with each shuffle, each authority computer generates a shuffle validity proof, which may be encrypted and forwarded to the server computer 108, or stored locally by the authority computer.
• an additional set of authority computers are provided, where one set of authority computers shuffle the encrypted ballots and generate shuffle validity proofs, while the second set of authority computers employ keys shares for decrypting the ballots.
• One or more optional verifier computers 130 may also be provided, similar to the authority computers 114.
• the verifier computers may receive election transcripts to verify that the election has not been compromised.
• the verifier computers may receive the shuffle validity proofs from each of the authority computers, as described herein.
• the verifier computers may perform verifications after the election, and need not be connected to the Internet. Indeed, the verifications may be performed by other computers shown or described herein.
• the server, verifier or authority computers may perform voter registration protocols, or separate registration computers may be provided (not shown).
• the registration computers may include biometric readers for reading biometric data of registrants, such as fingerprint data, voice fingerprint data, digital picture comparison, and other techniques known by those skilled in the relevant art. Voter registration and issuing anonymous certificates for use with verifiable shuffles is described below.
• the server computer 108 includes a server engine 120, a web page management component 122, a database management component 124, as well as other components not shown.
• the server engine 120 performs, in addition to standard functionality, portions of an electronic voting protocol.
• the encryption protocol may be stored on the server computer, and portions of such protocol also stored on the client computers, together with appropriate constants. Indeed, the above protocol may be stored and distributed on computer readable media, including magnetic and optically readable and removable computer disks, microcode stored on semiconductor chips (e.g., EEPROM), as well as distributed electronically over the Internet or other networks.
• EEPROM electrically erasable programmable read-only memory
• portions of the protocol reside on the server computer, while corresponding portions reside on the client computer.
• the server engine 120 may perform all necessary ballot transmission to authorized voters, ballot collection, verifying ballots (e.g., checking digital signatures and passing verification of included proofs of validity in ballots), vote aggregation, ballot decryption and/or vote tabulation.
• the server engine 120 simply collects all electronic ballots as a data collection center. The electronic ballots are then stored and provided to a third party organization conducting the election, such as a municipality, together with tools to shuffle ballots, decrypt the tally and produce election results.
• election audit information such as shuffle validity proofs and the like may be stored locally or provided to a municipality or other organization.
• the web page component 122 handles creation and display or routing of web pages such as an electronic ballot box web page, as described below.
• Voters and users may access the server computer 108 by means of a URL associated therewith, such as http: ⁇ www.votehere.net, or a URL associated with the election, such as a URL for a municipality.
• the municipality may host or operate the server computer system 108 directly, or automatically forward such received electronic ballots to a third party vote authorizer who may operate the server computer system.
• the URL or any link or address noted herein, can be any resource locator.
• the web page management process 122 and server computer 108 may have secure sections or pages that may only be accessed by authorized people, such as authorized voters or system administrators.
• the server computer 108 may employ, e.g., a secure socket layer ("SSL") and tokens or cookies to authenticate such users.
• SSL secure socket layer
• the system 100 may employ such simple network security measures for gathering and storing votes as explained below, rather than employing complex electronic encrypted ballots, as described in the above-noted patent application.
• Methods of authenticating users (such as through the use of passwords), establishing secure transmission connections, and providing secure servers and web pages are known to those skilled in the relevant art.
• the election scheme and system may use a "bulletin board” where each posting is digitally signed and nothing can be erased.
• the bulletin board is implemented as a web server.
• the "ballot box” resides on the bulletin board and holds all of the encrypted ballots. Erasing can be prevented by writing the web server data to a write-once, read-many (WORM) permanent storage medium or similar device.
• WORM write-once, read-many
• aspects of the invention may be employed by stand alone computers.
• aspects of the invention may also be employed by any interconnected data processing machines. Rather than employing a browser, such machines may employ client software for implementing aspects of the methods or protocols described herein.
• a schematic diagram illustrates a basic application of the shuffle protocol to an election, shown as a method 200.
• three encrypted ballots are submitted, one each for voters Joe Smith, Sally Jones, and Ian Kelleigh.
• the list or roll of voters is separated from the encrypted ballots, which are shown in block 206.
• a one-way reencryption of the ballots is performed to produce a shuffled set of ballots, shown in block 208.
• a shuffle validity proof is generated based on this first shuffle, shown in block 210.
• the shuffle validity proof allows a third party to ensure that all input data (the ballots) had the same operation applied to them, and that no altering of the ballots had been performed.
• a second shuffle of the (previously shuffled) ballots is performed, to generate a second shuffled set of ballots, shown as block 212.
• a shuffle validity proof is generated, shown in block 214.
• the shuffled ballots of block 212 are shuffled a third time, to produce a final shuffled set of ballots under block 216.
• a third validity proof 218 is likewise generated based on the third shuffle.
• a three-by-three shuffle array is provided under this example.
• the ballots are decrypted to produce a tally, shown as block 220.
• a third party may verify that the election by analyzing, among other things, each shuffle validity proof to ensure that each shuffler has preserved election integrity.
• the shuffle protocol is presented above as effectively separate subroutines that may be employed for various applications, such as in a electronic voting scheme.
• a first subroutine provides the functionality of scaled, iterated, logarithmic multiplication proofs between a prover and a verifier.
• a second subroutine provides the functionality of a simple shuffle protocol and employs the scaled, iterated, logarithmic multiplication proofs.
• a third subroutine implements general shuffle functionality, where the shuffler does not know the exponents, building upon the second subroutine of the simple shuffle.
• a fourth subroutine extends the third subroutine to shuffling k tuples of elements. Other routines are of course also provided.
• the concepts of the invention can be used in various environments other than the Internet.
• the concepts can be used in an electronic mail environment in which electronic mail ballots, transactions, or forms are processed and stored.
• a web page or display description e.g., the bulletin board
• a web page or display description may be in HTML, XML or WAP format, email format, or any other format suitable for displaying information (including character/code based formats, bitmapped formats and vector based formats).
• various communication channels such as local area networks, wide area networks, or point-to-point dial-up connections, may be used instead of the Internet.
• the various transactions may also be conducted within a single computer environment, rather than in a client/server environment.
• Each voter or client computer may comprise any combination of hardware or software that interacts with the server computer or system.
• These client systems may include television-based systems, Internet appliances, mobile phones/PDA's and various other consumer products through which transactions can be performed.
• a "link” refers to any resource locator identifying a resource on the network, such as a display description of a voting authority having a site or node on the network.
• resource locator identifying a resource on the network
• hardware platforms such as voter computers, terminals and servers, are described herein, aspects of the invention are equally applicable to nodes on the network having corresponding resource locators to identify such nodes.

Landscapes

• Engineering & Computer Science (AREA)
• Computer Security & Cryptography (AREA)
• Computer Networks & Wireless Communication (AREA)
• Signal Processing (AREA)
• Theoretical Computer Science (AREA)
• Business, Economics & Management (AREA)
• General Physics & Mathematics (AREA)
• Physics & Mathematics (AREA)
• Mathematical Analysis (AREA)
• Mathematical Optimization (AREA)
• Mathematical Physics (AREA)
• Pure & Applied Mathematics (AREA)
• Tourism & Hospitality (AREA)
• Computing Systems (AREA)
• Algebra (AREA)
• Development Economics (AREA)
• Educational Administration (AREA)
• Health & Medical Sciences (AREA)
• Economics (AREA)
• General Health & Medical Sciences (AREA)
• Human Resources & Organizations (AREA)
• Marketing (AREA)
• Primary Health Care (AREA)
• Strategic Management (AREA)
• General Business, Economics & Management (AREA)
• Management, Administration, Business Operations System, And Electronic Commerce (AREA)
• Storage Device Security (AREA)
• Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Applications Claiming Priority (9)

Publications (1)

Family

ID=27502021

Family Applications (1)

Country Status (7)

Cited By (1)

Families Citing this family (77)

Citations (1)

Family Cites Families (38)

• 2002
  • 2002-03-25 KR KR1020067001213A patent/KR100727281B1/ko not_active IP Right Cessation
  • 2002-03-25 EP EP02719353A patent/EP1374188A2/de not_active Withdrawn
  • 2002-03-25 WO PCT/US2002/009264 patent/WO2002077929A2/en not_active Application Discontinuation
  • 2002-03-25 US US10/484,931 patent/US7360094B2/en not_active Expired - Fee Related
  • 2002-03-25 CA CA002441304A patent/CA2441304C/en not_active Expired - Fee Related
  • 2002-03-25 JP JP2002575894A patent/JP4235453B2/ja not_active Expired - Fee Related
  • 2002-03-25 CN CNA028071840A patent/CN1535451A/zh active Pending

Patent Citations (1)

Non-Patent Citations (2)

Also Published As

Similar Documents

Legal Events